[Bug]: JWT validation does not work with requests larger than 1MB using JWKSUri as source for keys - POC

[nixx]

Version

edge

What Kubernetes platforms are you running on?

AKS Azure

Steps to reproduce

When using JWKs URI as source for JWKs a subrequest is used. The request limit for subrequests is the default 1MB and the client gets a 413 Payload to large.

The configuration is similar to:

jwt:
  realm: Realm
  token: $http_token
  jwksURI: https://location_of_jwt
  keyCache: 1h

This is a similar bug as #7876

[github-actions]

Hi @nixx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[vepatel]

hey @nixx, just to confirm that this is when setting client-max-body-size in VS upstream option only?
eg:

  upstreams:
  - name: webapp
    service: webapp-svc
    port: 80
    client-max-body-size: 2m

[nixx]

@vepatel correct

 upstreams:
  - client-max-body-size: 0m
     name: sizetest-upstream
     port: 80
     use-cluster-ip: true

Smaller requests (under 1MB) works fine. It should be quite easy to reproduce.

The genereated code for fetching the JWKs is:

    location = /_jwks_uri_server_XXXX {
        internal;
        proxy_method GET;
        proxy_set_header Content-Length "";
        proxy_cache jwks_uri_XXXX;
        proxy_cache_valid 200 12h;
        proxy_set_header Host XXXX
        set $idp_backend XXXX;
        proxy_pass https://$idp_backend/jwks;
    }

I would also expect the following directives to be set:

proxy_pass_request_headers off;
proxy_pass_request_body off;

As well SNI validation, but from what I can see, this will be fixed in #7993

[nixx]

An addional note: When testing with Curl, curl sets "Expect: 100-continue". This work fine, and we are not limited by size. However, clients not setting "Expect: 100-continue" seems to break the JWT-validation

[vepatel]

hey @nixx, can confirm that this is an issue we will be working on a fix!
as a work around for now, you can set client-max-body-size key in configmap (http-context) and it should persist across all child contexts.

As for setting:

proxy_pass_request_headers off;
proxy_pass_request_body off;

can I request if you can create a new feature request please as ideally we'd prefer them being customisable

[vepatel]

@nixx Can you please also confirm which IDP you're using? this'll help us test the fix better!

[nixx]

@nixx Can you please also confirm which IDP you're using? this'll help us test the fix better!

We have seen the same issue against EntraID, Maskinporten (norwegian governmental IdP) and other IdPs.